More recently, companies large and small are exploring ways to use social network sites to support and improve sales (YouTube), to find new employees and business partners (LinkedIn) or to monitor their performance and respond to critics (Yelp and increasingly Facebook and Twitter).
However, in the view of information security experts, businesses looking to embrace these social media channels and tools need to understand and calculate the benefits and risks before engaging with them.
To assess the risks of using social media for your business, consider the following:
- Be careful using social media for employment vetting purposes, for the same reasons that employers should not ask about religion, preferences, age, race, etc.
- Once a business takes the step of using social media, it is opening up a channel over which it has, in most cases, very limited control; in fact, it is almost handing over control to the public. How would the business deal with both fair and unfair criticisms and opinions expressed on social media websites, and how could its reputation be affected?
- Would your employees know what business information can be disclosed on social media websites and could the business therefore be at risk of involuntary information leakage?
- Could information on the size and structure of the business, and operational details such as IT infrastructure details, be used for initial data gathering activities for targeted attacks?
- Could the business's IT infrastructure be vulnerable to malicious software downloaded from social network sites?
- And lastly consider whether the business should monitor the activities of its employees to ensure that security is maintained and resources are not being wasted by social networking activities.
The risks of using social media encompass all aspects of the business: legal, employment, technical, operational and reputation, according to a Commissum spokesperson.
The decision to use social media should therefore be taken after careful consideration of the business reasons and benefits, an assessment of all risks, and the implementation of comprehensive controls to mitigate the risks, which must include policies and appropriate user training and awareness measures.